On Fri 09 Jan 2015 at 10:41:02 -0500, Jerry Stuckle wrote:

> On 1/8/2015 3:02 PM, Brian wrote:
> >
> > If you have resorted to using iptables you have lost it. A standard
> > Debian install doesn't need it.
>
> I disagree. iptables is a great tool for blocking unwanted connections.
>
> What do you have against it?
I have nothing against it and, in fact, agree with you. I'll enlarge on my sketchy remarks.

The OP installs Debian with (say) Gnome. There are no listening services, so there is no need to block any connections. If it happened that sshd was installed at the same time (or later), the use of ssh keys or a very strong password for authentication is sufficient to protect the service.

However, there can be a big annoyance factor when attempts to log on to the server take place. Software like fail2ban (which uses iptables) can be some comfort here and will at least reduce the noise in auth.log. Last year this machine saw about 4000 such random connections. I don't know how typical that is, but none of them caused me to lose any sleep.

Iptables can do a great job blocking unwanted connections. If someone wants to use it as a way of obtaining peace of mind, that's fine. But it doesn't add one iota of security to a well-set-up and well-managed sshd.

With more services running, the need is to understand their different security needs. Substituting the use of iptables for understanding isn't (IMO) something that needs to be top of the list.

-- 
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/20150109175103.ga15...@copernicus.demon.co.uk
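To put a number on the auth.log noise Brian describes, here is an added example (not from the post, and not fail2ban's own code) that tallies sshd login failures per source address in Debian's auth.log format and separates scanner noise from a legitimate user's typo with a retry threshold. The sample log lines, the hostname `host`, the addresses and the `maxretry` value of 5 are all constructed for the example.

```python
import re
from collections import Counter

# Constructed sample auth.log lines in Debian's syslog format (not from the original post).
SAMPLE_AUTH_LOG = """\
Jan  9 10:41:02 host sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Jan  9 10:41:05 host sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Jan  9 10:41:09 host sshd[1203]: Failed password for root from 203.0.113.5 port 51240 ssh2
Jan  9 10:41:12 host sshd[1205]: Failed password for root from 203.0.113.5 port 51244 ssh2
Jan  9 10:41:15 host sshd[1207]: Failed password for root from 203.0.113.5 port 51250 ssh2
Jan  9 10:42:01 host sshd[1210]: Failed password for invalid user oracle from 203.0.113.9 port 40011 ssh2
Jan  9 10:43:30 host sshd[1220]: Accepted publickey for brian from 198.51.100.7 port 40000 ssh2
Jan  9 10:44:00 host sshd[1225]: Failed password for brian from 198.51.100.7 port 40002 ssh2
"""

# sshd's rejected-password message; "invalid user" marks a name that does not exist locally.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)
# sshd's successful-login message, including the authentication method used.
ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+)")

def summarise(log_text):
    """Return (failures per source IP, guessed non-existent usernames, accepted logins)."""
    failures = Counter()
    invalid_users = Counter()
    accepted = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[m.group("ip")] += 1
            if "invalid user" in line:
                invalid_users[m.group("user")] += 1
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            accepted.append((m.group("user"), m.group("ip"), m.group("method")))
    return failures, invalid_users, accepted

def offenders(failures, maxretry=5):
    """Sources at or above the retry threshold (5 is an assumed value, in the spirit of a fail2ban jail)."""
    return sorted(ip for ip, n in failures.items() if n >= maxretry)

if __name__ == "__main__":
    failures, invalid_users, accepted = summarise(SAMPLE_AUTH_LOG)
    print("failures per source:", dict(failures))
    print("guessed usernames:", dict(invalid_users))
    print("accepted logins:", accepted)
    print("sources over threshold:", offenders(failures))
```

With the constructed log, only 203.0.113.5 crosses the threshold; the single failure from 198.51.100.7, which then logs in by public key, is the kind of entry that should not get a source banned.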